Package: otrs2
Version: 2.2.7-2lenny3
Severity: important
Tags: upstream patch
Dear maintainer,

Recently you fixed one or more security problems according to OSA-2011-03. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

 lenny (5.0.10) - use target "oldstable"
 squeeze (6.0.4) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package. I will happily assist you at any stage if the patch is straightforward and you need help.

Please keep me in CC at all times so I can track the progress of this request.

I attach the upstream patches for your convenience.

For details of this process and the rationale, please see the original announcement [1] and my blog post [2].

0: [email protected]
1: <[email protected]>
2: http://deb.li/prsc

Thanks,
with his security hat on:

--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- AdminPackageManager.pm 2010/05/20 17:07:50 1.81.2.2 +++ AdminPackageManager.pm 2011/07/28 09:07:35 1.81.2.3 @@ -1,8 +1,8 @@ # -- # Kernel/Modules/AdminPackageManager.pm - manage software packages -# Copyright (C) 2001-2010 OTRS AG, http://otrs.org/ +# Copyright (C) 2001-2011 OTRS AG, http://otrs.org/ # -- -# $Id: AdminPackageManager.pm,v 1.81.2.2 2010/05/20 17:07:50 ub Exp $ +# $Id: AdminPackageManager.pm,v 1.81.2.3 2011/07/28 09:07:35 martin Exp $ # -- # This software comes with ABSOLUTELY NO WARRANTY. For details, see # the enclosed file COPYING for license information (AGPL). If you @@ -18,7 +18,7 @@ use Kernel::System::Web::UploadCache; use vars qw($VERSION); -$VERSION = qw($Revision: 1.81.2.2 $) [1]; +$VERSION = qw($Revision: 1.81.2.3 $) [1]; sub new { my ( $Type, %Param ) = @_; @@ -120,6 +120,9 @@ } } my $LocalFile = $Self->{ConfigObject}->Get('Home') . "/$Location"; + + # do not allow to read file with including .. path (security related) + $LocalFile =~ s/\.\.//g; if ( !-e $LocalFile ) { $Self->{LayoutObject}->Block( Name => 'FileDiff',
--- AdminPackageManager.pm 2011/07/28 09:07:35 1.81.2.3 +++ AdminPackageManager.pm 2011/07/29 11:37:34 1.81.2.4 @@ -2,7 +2,7 @@ # Kernel/Modules/AdminPackageManager.pm - manage software packages # Copyright (C) 2001-2011 OTRS AG, http://otrs.org/ # -- -# $Id: AdminPackageManager.pm,v 1.81.2.3 2011/07/28 09:07:35 martin Exp $ +# $Id: AdminPackageManager.pm,v 1.81.2.4 2011/07/29 11:37:34 martin Exp $ # -- # This software comes with ABSOLUTELY NO WARRANTY. For details, see # the enclosed file COPYING for license information (AGPL). If you @@ -18,7 +18,7 @@ use Kernel::System::Web::UploadCache; use vars qw($VERSION); -$VERSION = qw($Revision: 1.81.2.3 $) [1]; +$VERSION = qw($Revision: 1.81.2.4 $) [1]; sub new { my ( $Type, %Param ) = @_; @@ -123,14 +123,25 @@ # do not allow to read file with including .. path (security related) $LocalFile =~ s/\.\.//g; - if ( !-e $LocalFile ) { + if ( !$File ) { $Self->{LayoutObject}->Block( Name => 'FileDiff', Data => { Location => $Location, Name => $Name, Version => $Version, - Diff => "No such file $LocalFile!", + Diff => "No such file $LocalFile in package!", + }, + ); + } + elsif ( !-e $LocalFile ) { + $Self->{LayoutObject}->Block( + Name => 'FileDiff', + Data => { + Location => $Location, + Name => $Name, + Version => $Version, + Diff => "No such file $LocalFile in local file system!", }, ); }
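Review bot: the `$LocalFile =~ s/\.\.//g;` added in the first patch's hunk at `@@ -120,6 +120,9 @@` sanitises by rewriting the path after `Home` has already been joined to `$Location`, so a request carrying `..` is silently altered and still served rather than refused, and a legitimate file name that happens to contain `..` (for example `foo..bar`) is mangled in the same way. Validating `$Location` before the path is built and rejecting the request with an error when it contains `..` is the safer shape; better still, since the second patch's `!$File` check indicates the package's own file list is at hand, compare `$Location` against that list and only build `$LocalFile` for a known entry. The new comment also reads awkwardly; "do not allow reading files whose path contains .. (security related)" says the same thing more clearly.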
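Review bot: in the second patch's hunk at `@@ -123,14 +123,25 @@`, the new `if ( !$File )` branch tests a variable whose assignment is not part of the visible change, so please confirm `$File` is populated from the package file list before this point; if it is not, the branch fires unconditionally and the `-e` check is never reached. Both messages interpolate `$LocalFile`, which is the absolute path under `Home`, into the rendered page ("No such file $LocalFile in package!" and "... in local file system!"); reporting `$Location` instead keeps the installation directory out of the output. The two `Block` calls differ only in the `Diff` string, so computing the message first and emitting a single `Block` call would remove the duplication.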

